Are You the Weak Link?

Companies are more security conscious than ever, lavishing attention on sophisticated technologies and physical defenses to safeguard their intellectual capital. But they’ve neglected the weakest link: their employees. It’s these frontline and midlevel workers who intruders increasingly target and who unwittingly give away the keys to the kingdom.

I know, because I used to be a hacker. I discovered how easy it was to dupe employees into giving me their companies’ most sensitive information—user names, passwords, account and dial-up numbers—and use it to hack into the heart of their networks. My cleverness landed me in federal prison for five years. But since my release in 2000, I’ve worked to help businesses and government shore up their defenses. Here’s what I tell them.

The Sinister Art of Persuasion

The greatest misconception about security is that a computer is the hacker’s most dangerous tool. Not so. It’s the phone. As security technologies improve, attackers are resorting to old-fashioned con games to get what they want. Why pound on the heavily defended corporate firewall when it’s easier to just trick the assistant who answers the phone into revealing his boss’s password?

Attackers who talk their way into a company’s “secure” systems are skilled at exploiting basic human nature to manipulate their unwary targets. That’s why I call them social engineers. (The term was first used by early phone hackers to describe deceiving phone company employees into revealing proprietary information.)

Drawing on 50 years of behavioral science research, Arizona State University psychology professor Robert Cialdini argues that persuasion works by appealing to a few fundamental facets of human nature: the desire to be liked, to reciprocate, to follow others’ lead, to follow through on public commitments, to acquire things in scarce supply, and to defer to authority. I’d add to this list that most people are reflexively trusting and give others the benefit of the doubt—traits that make the social engineer’s job all the easier.

Being aware of how persuasion works is the basis for erecting defenses against these attackers, as I’ll show. But first, consider this fictional account—a composite of real cases—of a social engineer who installs a keystroke logger (a type of computer wiretap) into a senior executive’s computer.

The phone rings in HR at a large publishing house in New York.

“Human resources. This is Sarah.”

“Hi, Sarah. This is George in the parking garage. We’ve had a problem with the parking access cards—some new employees are complaining they’re not working. So we need to reprogram the cards for the new hires that have started within the past 30 days. How can I get hold of the newbies?”

“Well, I’m just heading out on break. Can I call you back in half an hour or so?”

“Sure.”

When “George” calls Sarah back, she produces the names and numbers of two recent hires, and she volunteers that one is the new VP, and the other is Clark Miller, an administrative assistant in finance. Bingo. George’s next call, around six o’clock that evening, is to Clark.

“Finance. Clark speaking.”

“I’m glad I found somebody working late. Listen, this is Ron Vitarro. I’m the VP of the book division. I don’t think we’ve been introduced. Welcome to the company.”

“Oh. Thank you.”

“Clark, I’m at a conference in Los Angeles, and I’ve got a crisis. I know you’re busy, but help me out, and I’ll personally show you around the division.”

“Of course. What can I do?”

“Go up to my office. There’s a manuscript I need. Do you know where my office is?”

“No.”

“It’s the corner office on the 15th floor—room 1502. I’ll call you there in a few minutes. When you get to the office, you’ll need to press the call-forward button on the phone so my call won’t go directly to my voice mail.”

“Okay. I’m on my way now.”

Ten minutes later, Clark is in Ron Vitarro’s office, has canceled Ron’s call forwarding, and is waiting when the phone rings. Our social engineer, posing as Ron, tells him to launch Internet Explorer on Ron’s computer, type in www.geocities.com/ron_vitarro/manuscript.exe, and hit Return.

A dialog box appears, and the impostor tells Clark to click Open instead of Save. The computer appears to start downloading a manuscript, but then the screen goes blank. When Clark reports that something seems to be wrong, the caller plays along.

“Oh, no. Not again. I’ve been having a problem downloading from that Web site, but I thought it was fixed. Well, okay. Don’t worry. I’ll figure out another way to get the file later.”

Then he asks Clark to restart the computer so Ron can be sure it is working properly. He talks Clark through the steps for rebooting. When the computer is running again, he thanks Clark warmly and hangs up. Clark returns to his desk, pleased that he’s made this good contact with a VP.

Of course, Clark doesn’t know he’s been duped by a clever social engineer, and he has just helped a hacker install spyware on the VP’s computer. The new software would record Vitarro’s every keystroke—e-mail, passwords, Web sites visited—along with screen shots, and e-mail them to the hacker’s anonymous, free mailbox in Ukraine.

Like most such scams, this one required limited technical expertise (disguising spyware as a manuscript) and a little planning. The hacker had to gather certain information in advance—Vitarro’s office location, the times that he would be out, and so forth. But details of this sort are easily discovered with tactics no more complicated than getting the list of new employees.

Using techniques like these, social engineers can gain control of a company’s computer and telephone systems, convince security guards and other workers that they’re employees, hijack senior executives’ cell- and home-phone voice mail, and access a company’s complete customer list, financials, and product development plans. And that’s just the beginning.

Most companies have virtually no defenses against social engineers. But every company should take a few simple steps to mitigate this glaring weakness.

What You Can Do

The message must come from the top that every employee is vulnerable to the social-engineering threat, and every employee is part of the security team. This is not a job the “security guys” in facilities and IT can do alone.

It’s crucial that you alert people at all levels about the nature of the threat, the consequences of social-engineering break-ins, and the security policies in place. If you don’t have a policy that specifically addresses social-engineering tactics, develop one. It should cover rules governing computer and voice-mail passwords, how to handle suspicious callers, the need to challenge unidentified visitors, and so on.

Whatever form it takes, your education program should raise (and maintain) awareness and motivate the workforce to care about information security. It should reinforce the company’s written policy by describing how to recognize and foil a social-engineering attack. And, because people are quick to tune out old, too-familiar messages, it must provide novel and continuing reminders.

Approaches may include role-playing exercises, e-mail and voice-mail reminders, and security columns in the company newsletter and on the intranet. You could also rank security awareness on employee performance reports and annual reviews. And you could even try gimmicks like fortune cookies in the cafeteria that contain security messages. (A fortune might advise, “Never use your child’s birth date as a password!”)

Finally, as every manager knows, no amount of training and policy making will work if employees don’t take responsibility for the problem. The key to getting people to buy in to any effort is to appeal to their self-interest. Rewards for good security behavior (and sanctions for disregarding policy) are important. Above all, though, employees must appreciate that social-engineering attacks can threaten them individually, as well as damage the organization. Companies, for instance, keep private information about every employee, from social security numbers to direct-deposit account numbers, that social engineers may be eager to get their hands on.

Many security approaches to threats from social engineering are common sense, but not every vulnerability is obvious. A security firm that specializes in probing for weaknesses and shoring up defenses can help. Security consultants can conduct penetration tests using the same techniques that enemies will use to steal or destroy your valuable information. The experience of being probed this way can be alarming, which is just the point.

Kevin D. Mitnick is cofounder of Defensive Thinking, a Los Angeles–based information security firm, and is coauthor with William L. Simon of The Art of Deception (John Wiley & Sons, 2002), from which this article is adapted.
